Sunday, August 10, 2014

In the previous post we dealt with setting up our collector. In this post we will acquire the memory contents of our suspect system for analysis. To do this, run "RunRedlineAudit.bat" from the collector folder we created when setting up the collector. Run it from an elevated (Administrator) command prompt, since acquiring memory requires that privilege.

Once the .bat file has finished executing, you should have an additional directory named "Sessions" in the collector folder. Inside "Sessions" you will see an "AnalysisSession"+X folder, where X is a number; for me it is 1. Under "AnalysisSession1" there should be a ".mans" file. Open this file (double-click it) on the system where Mandiant Redline is installed; it will then open in Redline. In the next post, we will analyze this file.

Reference: https://www.mandiant.com/resources/download/redline
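Two things go wrong with this step in practice: on a collector drive that has been used several times, the folder you want is the highest-numbered AnalysisSession, not the first one an alphabetical listing shows (AnalysisSession10 sorts before AnalysisSession2 as text), and the .mans file should be hashed before it is copied off the drive so the copy can be checked later. The following is an added Python example, not part of the original post and not Redline's own tooling. It assumes only the folder layout described above (collector folder, "Sessions", "AnalysisSession"+X, a .mans file inside); the sample tree it runs against is constructed in a temporary directory, and the file name "Audit.mans" is a stand-in.

```python
import hashlib
import os
import re
import tempfile

# Layout described in the post: <collector folder>\Sessions\AnalysisSession<N>\<name>.mans
SESSION_RE = re.compile(r"^AnalysisSession(\d+)$")


def session_number(dirname):
    """Numeric suffix of an AnalysisSession<N> folder name, or None for anything else."""
    m = SESSION_RE.match(dirname)
    return int(m.group(1)) if m else None


def latest_session(collector_root):
    """Path of the highest-numbered AnalysisSession folder, or None if there are no sessions.

    Numbers are compared as integers, so AnalysisSession10 beats AnalysisSession2;
    a plain alphabetical sort of the folder names would pick the wrong session.
    """
    sessions_dir = os.path.join(collector_root, "Sessions")
    if not os.path.isdir(sessions_dir):
        return None
    best = None
    for name in os.listdir(sessions_dir):
        n = session_number(name)
        if n is None or not os.path.isdir(os.path.join(sessions_dir, name)):
            continue
        if best is None or n > best[0]:
            best = (n, name)
    return os.path.join(sessions_dir, best[1]) if best else None


def mans_file(session_dir):
    """The .mans audit file in a session folder, or None if the run did not produce one."""
    candidates = sorted(f for f in os.listdir(session_dir) if f.lower().endswith(".mans"))
    return os.path.join(session_dir, candidates[0]) if candidates else None


def sha256_file(path):
    """Hash the audit in 1 MiB chunks; record the digest before the file leaves the collector drive."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_constructed_tree(root):
    """Constructed sample layout for this example, not real Redline output.

    Sessions 1, 2 and 10 each hold a tiny stand-in .mans file (session 10's is the
    bytes b"abc"); a "Scripts" folder is present to confirm non-session names are skipped.
    """
    for n, body in ((1, b"one"), (2, b"two"), (10, b"abc")):
        folder = os.path.join(root, "Sessions", "AnalysisSession%d" % n)
        os.makedirs(folder)
        with open(os.path.join(folder, "Audit.mans"), "wb") as f:
            f.write(body)
    os.makedirs(os.path.join(root, "Sessions", "Scripts"))


def demo():
    """Run the lookup against the constructed tree; returns (session folder name, sha256 hex)."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        session = latest_session(root)
        path = mans_file(session)
        return os.path.basename(session), sha256_file(path)


if __name__ == "__main__":
    folder, digest = demo()
    print("%s -> %s" % (folder, digest))
```

Against a real collector drive, call `latest_session()` with the collector folder instead of the constructed tree, and keep the printed digest with your case notes; `mans_file()` returning None means the audit run did not complete and the session should not be opened in Redline as if it had.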

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis